0

I was trying to download Qt framework. I went to its Official site (I'm sure, I checked in Wikipedia) for Visual Studio. But when attempting to download Qt for Windows, my Firefox shows this message:

enter image description here

I also scanned using the IP address shown by Firefox and found something suspicious like this: "Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset."

My questions:
Qt is a famous and recognized framework then how could it serve as malicious or attack page? Can I download from the website? or something is suspicious?

EDIT: Is this a bundler?

I have verified both its SHA-1 and MD-5 hash from the Qt home page. I tried to install Qt on my Windows, but my anti-virus found something strange when installing it? What it does mean?

Is open source download come along with a bundler? because making collisions for one algorithm is OK but all the Hashes are same MD,SHA-1,SHA-256 or it is just a false positive?

EDIT THREE: [HASH CONFIRMATION]: enter image description here enter image description here

schroeder
  • 125,553
  • 55
  • 289
  • 326
VISWESWARAN NAGASIVAM
  • 283
  • 2
  • 15
  • 2
    Judging from a quick superficial WHOIS, 183.91.33.11 seems to be unrelated to Qt. Registered to ChinaNet. I get a different IP by resolving Qt's official site (https://qt.io); 62.116.130.8 Could you confirm that that's the domain you tried? – Fluffy May 19 '16 at 12:20
  • @Fluffy No, If we download something(from open source) it redirects to 183.91.33.11 Thank you – VISWESWARAN NAGASIVAM May 19 '16 at 12:23
  • Wikipedia points to qt.io and has not been edited in a while. The page seems to be clean and has a different IP from the one that you gave. Plus the Virustotal scan showed no warnings, seemingly negating the warning from Firefox. Are you sure you went to qt.io? – AstroDan May 19 '16 at 12:24
  • @AstroDan No, If we download something(from open source for VS) it redirects to 183.91.33.11 and suspicious message in firefox displays Thank you – VISWESWARAN NAGASIVAM May 19 '16 at 12:27
  • The open source .exe is also hosted on "http://download.qt.io/official_releases/online_installers/qt-unified-windows-x86-online.exe" for me. I cannot reproduce your issue but perhaps the lack of https could leave an opportunity for you to be MitM'd. – Fluffy May 19 '16 at 12:28
  • @Fluffy I'm not a information security expert for now but the link was broken(404 error) and am I in Man in the Middle attack? could you be briefer? – VISWESWARAN NAGASIVAM May 19 '16 at 12:39
  • @VISWESWARAN1998 did you say that whenever you download ANY open source code you get redirected to that IP? It appears clear that you *are* being redirected, and it is not QT's fault. I'd look into why you are getting redirected in the first place. – schroeder May 19 '16 at 15:01
  • @schroeder Whenever I download open source code/packked exe for a specific version of visual studio I get redirected to that IP. How it could not be Qt's fault? Because I just clicked the download link provided in the Official website. P.S there are also different mirrors but It is quite hidden(one should notice carefully) but I suspect many could have downloaded from that IP – VISWESWARAN NAGASIVAM May 19 '16 at 17:20
  • @VISWESWARAN1998 you said that if you download *ANY* open source, which seems to mean not just Qt, but any open source project. If that is true, then it is not Qt's fault. Can you confirm that this problem is just for Qt? – schroeder May 19 '16 at 17:40
  • ok - that's exactly what I was asking for, thank you. For one last test, can you upload that qmltestrunner.exe to virustotal to see what it says? – schroeder May 19 '16 at 18:35
  • @schroeder When I tried to analyse the file in Virus Total it surprisingly shows "Accesses denied message" I don't know why because I could even analyse the file present in my windows folder. Then I tried changing the install location to my portable hard disk but even in that drive I could not even copy the qmltestrunner.exe out of the folder i.e it is located in the bin folder and I could not cut,copy,rename,compress the file this is annoying. My portable hard disk has no permission i.e any one can copy anything from the drive. – VISWESWARAN NAGASIVAM May 20 '16 at 03:41

1 Answers1

-1

Before going brief ,I have noted the following things from your question :

  • You were visiting the mirror site of some malicious website

  • The official link differs from the url which you have downloaded

I was able to reproduce the problem while analysing the mirror site and it was flagged as malware as per the virustotal report

enter image description here

Now as you haven't downloaded the image[my rough guess] ,you might be safe from the vulnerable file ,if you have accidentally downloaded it try to remove the file completely and run some AV Scans.

Other than that there were less chances for you as MITM victim,If you still doubt it run a quick traceroute to your router ,if it shows external IP you might be a victim,Also have a look at the MITM question which was asked before over here .Also download the file from official site and verify by generating its checksum.

Community
  • 1
BlueBerry - Vignesh4303
  • 5,097
  • 13
  • 34
  • 63